US7815106B1 - Multidimensional transaction fraud detection system and method - Google Patents

Publication number
US7815106B1
Authority
US
United States
Prior art keywords
transaction
individual
processor
data
typical
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US11/319,608
Inventor
James Trent McConnell
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Rakuten Group Inc
Original Assignee
Verizon Corporate Services Group Inc
Application filed by Verizon Corporate Services Group Inc
Priority to US11/319,608
Assigned to VERIZON CORPORATE SERVICES GROUP INC. Assignment of assignors interest (see document for details). Assignors: MCCONNELL, JAMES TRENT
Application granted
Publication of US7815106B1
Assigned to VERIZON PATENT AND LICENSING INC. Assignment of assignors interest (see document for details). Assignors: VERIZON CORPORATE SERVICES GROUP INC.
Assigned to RAKUTEN, INC. Assignment of assignors interest (see document for details). Assignors: VERIZON PATENT AND LICENSING INC.
Assigned to RAKUTEN GROUP, INC. Change of name (see document for details). Assignors: RAKUTEN, INC.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/02 Marketing; Price estimation or determination; Fundraising
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4016 Transaction verification involving fraud or risk level assessment in transaction processing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/102 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for e-commerce

Definitions

  • Detection of anomalies in data is a core technology with broad applications: detection of cardiac arrhythmias in ECG data, discovering semiconductor defects from plasma-etch data, detecting network faults from traffic data, ascertaining user interface design defects from user data, etc.
  • Detection of unauthorized or malicious users on computer hosts and networks is often called intrusion detection.
  • Intrusion detection systems are usually based on logical or physical attacks on a network infrastructure.
  • Business transactions are also a source of intrusions, and these intrusions generally go unnoticed because of the lack of security features built into systems that support business transactions.
  • FIG. 1 is a block diagram of an environment in which methods and systems consistent with the present invention may be implemented.
  • FIG. 2 is a block diagram illustrating components of an implementation of a transaction system consistent with certain aspects of the present invention.
  • FIG. 3 is a block diagram illustrating components of an implementation of a multidimensional detection system consistent with certain aspects of the present invention.
  • FIG. 4 is an anomaly detection display consistent with certain aspects of the present invention.
  • FIG. 5 is a flow chart used to explain the steps of an exemplary process for initially handling transactions.
  • FIGS. 6A and 6B are flow charts used to explain the steps of exemplary processes for recording and combining information for transactions and for detecting potential fraud.
  • Methods, systems and articles of manufacture consistent with features and principles of the present invention facilitate the detection of potential fraud in transactions by combining anomaly detection, rule violation and pattern matching operations.
  • a collection of application transactions resulting from using one or more systems determines business patterns or behavior of a user. These patterns are used to detect anomalies in the user's behavior, are compared to business rules for violations, and are compared to historical transaction patterns of the user or other users.
  • A system monitor (for example, a person or another system) is alerted to the potential fraud.
  • a system may use at least a portion of this information to form a data store for information on user behavior.
  • the data store may store information particular to the behavior of individual users and/or information generally applicable to a set of users.
  • the data store may be used to form (and include) rules for determining validity or appropriateness of user behavior (for example, certain transactions under specific conditions may be considered invalid). Alternatively, or additionally, these rules may be predetermined by a system operator.
  • the data store may be accessed when or nearly when a new transaction is detected by the system. Information indicative of this new transaction may be compared to the information in the data store to determine whether the new transaction is considered to be unusual for the particular user, i.e., an anomaly. If so, that information alone or in combination with information derived from additional transactions involving the same or a different user may initiate a trigger to alert a system monitor of a potential fraud.
  • FIG. 1 is a block diagram of an environment in which methods and systems consistent with the present invention may be implemented.
  • the environment includes a plurality of transaction systems 110 , network 120 , and multidimensional detection system 130 .
  • Transaction systems 110 include systems used to initiate and/or complete and record various transactions.
  • transaction systems 110 include various business related transaction systems such as computer systems controlling customer accounts (e.g., telecommunication accounts and credit card accounts), computer systems controlling employee access to physical facilities (e.g., entry key systems, provisioning systems, and telephone systems) and computer systems controlling organization accounting (e.g., billing systems).
  • Communication between transaction systems 110 and network 120 may utilize a wired connection, a wireless connection, or a combination of a wired and wireless connection.
  • Network 120 generally provides an infrastructure for devices and systems to communicate data, voice, or a combination of data and voice. Such an infrastructure may support TCP/IP protocols as well as other known protocols for handling transmission of voice and/or data in a network.
  • An existing infrastructure such as a Local Area Network (LAN), Wide Area Network (WAN), Public Switch Telephone Network (PSTN), or the Internet, may be used, in whole or in part, to form network 120 .
  • Multidimensional detection system 130 facilitates the detection of potential fraud in transactions from the plurality of transaction systems 110 by combining anomaly detection, rule violation and pattern matching operations.
  • a collection of transactions resulting from using one or more of transaction systems 110 determines business patterns or behavior of a user. These patterns are used to detect anomalies in the user's behavior, are compared to business rules for violations, and are compared to historical transaction patterns of the user or other users.
  • multidimensional detection system 130 provides a potential fraud alert to a system monitor (for example a person or another system).
  • Communication between multidimensional detection system 130 and network 120 may utilize a wired connection, a wireless connection, or a combination of a wired and wireless connection. Those skilled in the art will appreciate various connections by themselves or in combinations may be used.
  • FIG. 2 is a block diagram illustrating components of an exemplary transaction system 110.
  • Transaction system 110 includes transaction engine 210 and transaction log 220 . These components are explained in more detail below.
  • Transaction engine 210 initiates and/or completes various transactions.
  • transaction engine 210 comprises a computer system configured to perform certain transactions under control of a user.
  • Transaction engine 210 may include software, hardware, processing systems, memory, support systems, and any other elements that enable transaction engine 210 to perform transactions.
  • transaction engines 210 may include various configurations as required to perform certain transactions.
  • transaction engine 210 may include a billing system that enables a user to credit and debit customer accounts and generate customer bills.
  • Transaction engine 210 may include a customer service computer system that enables a user to control service levels for individual customers (e.g., telephone service, cable television service, internet access).
  • Transaction engine 210 may include a badge access system that enables a user to “badge in” and “badge out” of secure facilities.
  • Transaction engine 210 may include a provisioning system that enables a user to grant and deny access to various enterprise level computer systems and other resources.
  • Transaction engine 210 may include a network access system that enables a user to access certain network content as necessary.
  • the various transaction engines discussed are exemplary.
  • Transaction engine 210 may include any computer system configured to perform transactions.
  • Transaction logs 220 provide a means or mechanism to collect data from business applications of interest.
  • Transaction log 220 comprises, for example, one or more data loggers that record specific data at specific intervals.
  • Transaction log 220 can be implemented using hardware, firmware, software or a combination thereof.
  • transaction log 220 comprises software code that logs data and creates an audit trail for the corresponding transaction engine 210 .
  • the appropriate implementation for transaction log 220 is based upon, for example, the transaction system 110 being monitored, the particular data of interest and the environment within which the monitoring is occurring.
  • transaction log 220 logs data regarding transactions of interest on respective transaction engine 210 .
  • transaction log 220 may log the following data from transactions occurring on transaction engine 210: system user identification, PC IP address from which a transaction is completed, transaction description, transaction level (for example, a dollar amount), data fields modified by the transaction, identification of any device modified, transaction timing (input of data and output of any result).
  • transaction logs 220 are employed to gather data from transaction engines including, without limitation, computer systems controlling customer accounts (e.g., telecommunication accounts and credit card accounts), computer systems controlling employee access to physical facilities (e.g., entry key systems, provisioning systems, and telephone systems) and computer systems controlling organization accounting (e.g., billing systems).
  • Transaction log 220 may be deployed to collect transaction data from a diverse array of business systems consistent with the teachings of the present invention. The data is then manipulated and used to detect anomalies and potential fraud by multidimensional detection system 130 . Some exemplary deployments for transaction log 220 will help to illustrate. Transaction log 220 may be used to collect transaction data from a customer account management system. In such a deployment, transaction log 220 may collect data about transactions that change customer account parameters (for example, user ID, transaction amount, time of transaction, etc.). Transaction log 220 may be used to collect transaction data from a telephone system. In such a deployment, transaction log 220 may collect data about telephone calls made from an individual's telephone (for example, dialed numbers, duration of calls, time of calls, etc.).
  • Transaction log 220 may be used to collect transaction data from facility security systems. In such a deployment, transaction log 220 may collect data relating to a user's building access (for example, user ID, time of building entry, time of building exit, doorways used, etc.). Transaction log 220 may be used to collect transaction data from enterprise computer networks. In such a deployment, transaction log 220 may collect data about an individual's computer network usage (for example, log-in time, log-out time, Internet accesses, etc.). It will be apparent to those having skill in the art that a vast array of deployments are possible and within the scope of the present invention.
  • FIG. 3 is a block diagram illustrating components of an implementation of multidimensional detection system 130.
  • Multidimensional detection system 130 comprises collection storage 310 , data manipulation system 320 , detection system 330 and monitoring station 340 . The various components are explained in more detail below.
  • Collection storage 310 , collection database 315 and rules database 316 together comprise the operational storage for multidimensional detection system 130 . More specifically, collection storage 310 , collection database 315 and rules database 316 are used to store data received from transaction logs 220 , manipulated data derived from data received from transaction logs 220 , and data used to evaluate data (e.g., patterns, rules, profiles etc.) received from transaction logs 220 . The data received from transaction logs 220 is evaluated using anomaly detection, rule violation and pattern matching operations. A collection of application transaction data derived from transaction logs 220 and resulting from transactions taking place within transaction engines 210 , determines business patterns or behavior of a user.
  • this data is stored in collection database 315 and rules database 316 within collection storage 310 .
  • collection storage 310 comprises any commercially available mass storage medium.
  • collection storage 310 comprises a hard disk drive with storage capacity suitable for storing operational data used to implement methods and systems consistent with the present invention.
  • collection storage 310 comprises an optical disk drive with storage capacity suitable for storing operational data used to implement methods and systems consistent with the present invention. It will be apparent to those having skill in the art that other storage mediums may be used to implement collection storage 310 .
  • collection database 315 and rules database 316 comprise any commercially available program suitable for organizing and providing access to operational data stored within collection storage 310 .
  • collection database 315 and rules database 316 comprise any commercially available relational database. It will be apparent to those having skill in the art that other databases (e.g., network, flat, and hierarchical databases) that provide suitably fast and flexible data access may be used to implement collection database 315 and rules database 316 .
  • Data manipulation system 320 provides a means or mechanism to manipulate data formats.
  • Data manipulation system 320 may include software, hardware, processing systems, memory, support systems, and any other elements that enable data manipulation system 320 to manipulate data.
  • One skilled in the art would realize that data manipulation system 320 may include various configurations depending upon the data sources and the manipulation desired.
  • data manipulation system 320 comprises a computer system configured to normalize data received from transaction logs 220 .
  • As an example of transaction data normalizing, consider that different business applications may record a user's identity in various ways.
  • data manipulation system 320 normalizes the data to a consistent format.
  • data manipulation system 320 may normalize user identity data to a nine-digit identification number, e.g., social security number.
  • data manipulation system 320 may normalize user identity to a consistent name format, e.g., last name, first name, middle initial. It will be apparent to those having skill in the art, that various normalizing techniques may be used to generate data having a consistent format.
  • Detection system 330 provides a means or mechanism to develop and apply patterns, rules, and user profiles from manipulated transaction data in order to detect anomalies.
  • Detection system 330 may include software, hardware, processing systems, memory, support systems, and any other elements that enable detection system 330 to detect anomalies.
  • detection system 330 may include various configurations depending upon the data sources and the manipulation desired.
  • detection system 330 develops rules, patterns and user profiles that can be used to detect anomalies. For example, detection system 330 may determine a rule based upon the transaction times associated with a particular business application. More particularly, detection system 330 may determine from the normalized transaction records that a particular business application is used most heavily at certain times (e.g., Monday through Friday from 9:00 am to 5:00 pm). In such a case, detection system 330 may define a rule that “flags” transactions outside of the time range as potentially fraudulent. This type of rule may, of course, also take into account normal operating hours associated with the business system. According to another example, detection system may define a rule regarding usage of all business systems by a particular user.
  • detection system 330 may examine all transactions on all systems from a particular user to develop a rule that the particular user requests and completes all transactions, regardless of business application, within the hours of 3:00 pm to 1:00 am on Tuesday through Saturday. Thus, detection system 330 may flag future transactions from that user outside that time range as potentially fraudulent.
  • Detection system 330 may also determine patterns from normalized transaction data. For example, detection system 330 may develop a pattern to detect salami attacks by reviewing all transactions below a particular threshold from one or more users. More particularly, based on the normalized data, detection system 330 may determine that nearly all transactions within a particular business application exceed a particular threshold. As such, a pattern of a repeated number of transactions below the threshold amount may provide an indication of a salami attack.
  • Detection system 330 may also develop user profiles from the normalized transaction data. Detection system 330 may then use the user profiles to detect potentially fraudulent transactions. According to one embodiment, detection system 330 generates a user profile by sorting all transaction data generated by a particular user and determining characteristics particular to the user from the transaction data. For example, the normalized data, rules and patterns may indicate that a user typically works at a particular location (i.e., work location), using particular business applications, on accounts in a particular geographic area (i.e., transaction location), on transactions of a particular size or value (i.e., transaction size), between the hours of 8:00 am to 5:00 pm weekdays (working hours) and enters and leaves the work facilities four times each day.
  • detection system 330 may define a wide variety of rules, patterns and profiles.
  • Monitoring station 340 provides a monitoring station for potential fraud.
  • Monitoring station 340 may include a personal computer, work station or any other suitable computing device.
  • monitoring station 340 is configured to receive and display to a system monitor (e.g., a person) warning messages about potentially fraudulent transactions from detection system 330 .
  • the warning message may comprise, for example, an identification of the user, the type of transaction, the time of the transaction and the nature of the potential fraud.
  • monitoring station 340 comprises an automated access control system that is configured to receive warning messages about potentially fraudulent transactions and restrict access to the appropriate user or users in response to the warning messages. It will be apparent to one having ordinary skill in the art that various warning messages and potential responses are possible.
  • FIG. 4 is an exemplary display 400 for monitoring station 340 .
  • Display 400 comprises a number of warning messages 410 - 430 .
  • the warning messages 410 - 430 are organized by user.
  • the warning messages comprise a user identification, a list of anomalies detected and a list of potential anomalies detected. It will be apparent to one having ordinary skill in the art that various configurations are possible for monitoring station 340 and the warning messages displayed thereon.
  • FIG. 5 is a flow chart used to explain the steps of an exemplary process for initially handling and collecting transaction data.
  • the process for handling transactions begins with receiving an indication of a user initiated transaction at step 510 .
  • an authorization check is done at step 520 . If the authorization check indicates that the transaction is unauthorized, the method provides an indication of failure at step 530 . If the transaction is authorized, a record of the transaction is generated and stored at step 540 .
  • the method of FIG. 5 comprises an initial authorization check within one of transaction systems 110 .
  • the method of FIG. 5 is used as an initial authorization check within, for example, computer systems controlling customer accounts (e.g., telecommunication accounts and credit card accounts), computer systems controlling employee access to physical facilities and computer systems controlling organization accounting.
  • the multidimensional transaction anomaly detection method of FIG. 5 begins with receipt of an indication of a user initiated transaction at step 510 .
  • an indication of a user initiated transaction is generated automatically by one of transaction systems 110 when a user initiated transaction is started.
  • the indication is used to indicate an incoming transaction.
  • such a transaction indication is also communicated through network 120 to multidimensional detection system 130 .
  • an authorization check is done at 520 .
  • the authorization check of step 520 comprises an authorization and/or authentication check by the transaction system 110 within which the transaction was requested.
  • the authorization check comprises one or more checks to determine, for example, if the user requesting the transaction is authorized to use the transaction system 110 or if the amount of the transaction exceeds any system or user-specific limits.
  • the user authentication may comprise a userID/password check. It will be apparent to those skilled in the art that various forms of authorization checks may be employed.
  • a transaction record is generated and stored for authorized transactions at step 540 .
  • a transaction record is generated and stored for the transaction.
  • the transaction record is generated by transaction engine 210 , stored in transaction log 220 and comprises data sufficient to identify the transaction and the user.
  • the transaction record comprises, for example, the following information: user identification; time of the transaction; date of the transaction; description of the transaction; size or value of the transaction; and, changes made by the transaction. It will be apparent to those having skill in the art that other data elements may be included in the transaction record.
  • FIGS. 6A and 6B are flow charts of exemplary processes for recording and combining information for transactions and for detecting potential fraud. More particularly, FIG. 6A depicts the steps of a preferred process for collecting and normalizing transaction records. FIG. 6B depicts the steps of a preferred process for detecting potential fraud.
  • FIG. 6A depicts a process for collecting and normalizing transaction records used in conjunction with a multidimensional anomaly detection method according to one embodiment of the present invention.
  • the method for collecting and normalizing transaction records comprises obtaining transaction records (step 610 ), normalizing transaction records (step 620 ) and storing normalized transaction records (step 630 ).
  • transaction records are obtained.
  • transaction records are generated by transaction systems 110 and automatically communicated through network 120 to multidimensional detection system 130 . More particularly, transaction records are generated and stored in transaction systems 110 , communicated through network 120 to multidimensional detection system 130 where they are stored within collection storage 310 .
  • Transaction data from a diverse range of business applications is combined together and used to detect potential anomalies in transactions.
  • Although business applications capture certain transaction data for audit purposes, the data captured by different applications/systems may have different formats. Therefore, transaction records received are normalized to a consistent format if necessary (step 620).
  • data manipulation system 320 normalizes transaction data.
  • user identity data is normalized to a consistent format.
  • user identity is normalized to a nine-digit identification number, e.g., social security number.
  • user identity is normalized to a consistent name format, e.g., last name, first name, middle initial. It will be apparent to those having skill in the art, that various normalizing techniques may be used to generate data having a consistent format.
  • normalized transaction records are stored.
  • normalized transaction data is stored within a database and is used to develop rules, patterns and user profiles for anomaly detection.
  • normalized transaction data is stored within collection database 315 . It will be apparent to those having ordinary skill in the art that other storage options are possible.
  • the normalized transaction data is used to develop rules, patterns and user profiles that can be used to detect anomalies.
  • a rule may be determined based upon the transaction times associated with a particular business application. More particularly, it may be determined from the normalized transaction records that a particular business application is used most heavily at certain times (e.g., Monday through Friday from 9:00 am to 5:00 pm). In such a case, a rule may be defined that “flags” transactions outside of the time range as potentially fraudulent. This type of rule may, of course, also take into account normal operating hours associated with the business system.
  • the normalized transaction data may be used to define a rule regarding usage of all business systems by a particular user.
  • all transactions on all systems from a particular user may be examined to develop a rule that the particular user requests and completes all transactions, regardless of business application, within the hours of 3:00 pm to 1:00 am on Tuesday through Saturday. Thus, transactions from that user outside that time range may be flagged as potentially fraudulent.
  • the normalized transaction data may also be used to determine patterns. For example, all transactions below a particular threshold from one or more users may be used to develop a pattern to detect salami attacks. More particularly, the normalized data may be used to determine that nearly all transactions within a particular business application exceed a particular threshold. As such, a pattern of a repeated number of transactions below the threshold amount may provide an indication of a salami attack.
  • the normalized data, patterns and rules may be used to develop user profiles.
  • the user profiles may be used to detect potentially fraudulent transactions.
  • a user profile is generated by sorting all transaction data generated by a particular user and determining characteristics particular to the user from the transaction data.
  • the normalized data, rules and patterns may indicate that a user typically works on accounts in one particular geographic area, between the hours of 8:00 am to 5:00 pm weekdays and enters and leaves the work facilities four times each day. This data indicates a profile for the user such that transactions requested outside of the profile are potentially fraudulent.
  • the rules, patterns and profiles developed are stored in rules database 316 . It will be apparent to those having skill in the art that a wide variety of rules, patterns and profiles may be defined consistent with the teachings of the present invention.
  • FIG. 6B depicts a process for detecting potential fraud consistent with one embodiment of the present invention.
  • the method for detecting comprises selecting a transaction record at step 640 , applying defined rules to the selected transaction record at step 650 and outputting a result of the rules application at step 660 .
  • a transaction record is selected for examination.
  • every incoming normalized transaction record is selected for examination at step 640 .
  • transaction records are sampled at a frequency sufficient to detect most fraudulent transactions. In such a case, it may be determined that examining every transaction is unnecessarily burdensome.
  • all transactions from a particular individual are selected at step 640 . It will be apparent to those having skill in the art that other methods of selecting a transaction are within the spirit and scope of the present invention.
  • the rules are applied to the selected transaction record to determine potentially fraudulent transactions at step 650 .
  • all available rules are applied to the selected transaction record at step 650 .
  • when there exists a particular fraud threat, for example one dictated by recent transaction history, only rules particular to detecting that threat are applied at step 650 .
  • Other rule application methods are appropriate and within the scope of the present invention.
  • the rules are applied using a scoring methodology.
  • For example, when a rule is applied, conventional pattern matching methodology may be employed to develop a score. The score may represent, for example, a percent confidence that the rule has been violated. Additionally, a threshold may be applied such that all percentages exceeding the threshold are considered the result of an anomalous transaction.
  • scoring methodologies are well known and various scoring methodologies could be employed.
  • a result of the rule application is output.
  • the result comprises an indication of a potential fraud displayed on a monitor of a system administrator. Such an output allows a system administrator to further examine the potentially fraudulent transaction immediately so that ongoing fraud may be prevented. The system administrator may also examine other relevant transactions (e.g., other transactions from the same user or other transaction from the same business system) for fraud.
  • the result comprises an indication of potential fraud that is sent via email to a system administrator. It will be apparent to those having skill in the art that various methods of display may be used by themselves or in combination.
  • the present invention may also be implemented using computer processor readable media that include program instruction or program code for performing various computer-implemented operations based on the methods and processes consistent with the invention.
  • the program instructions may be those specially designed and constructed for the purposes of the invention, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of program instructions include for example machine code, such as produced by a compiler, and files containing a high level code that can be executed by the computer using an interpreter.

Abstract

A system and method for detecting transaction anomalies and information reflecting potential fraudulent activities is disclosed. Data is collected from transactions carried out in a number of business applications such as computer systems, telecommunication systems and security systems. This transaction data is normalized to generate transaction data having consistent format for analysis and/or comparison. User profiles are generated by sorting the normalized data by user and identifying particular user characteristics from the sorted data. Each user profile therefore reflects the behavior of the user as it relates to the business applications. The user profiles and/or predetermined rules are then used to detect anomalies in incoming transactions.

Description

BACKGROUND INFORMATION
Detection of anomalies in data is a core technology with broad applications: detection of cardiac arrhythmias in ECG data, discovering semiconductor defects from plasma-etch data, detecting network faults from traffic data, ascertaining user interface design defects from user data, etc. Over the last dozen years, another application has emerged: detection of unauthorized or malicious users on computer hosts and networks, often called intrusion detection.
Intrusion detection systems are usually based on logical or physical attacks on a network infrastructure. However, business transactions are also a source of intrusions, and these intrusions generally go unnoticed because of the lack of security features built into systems that support business transactions.
For example, computer applications are created having several layers with each layer including detective, preventive, and corrective controls. At the business transaction layer, the detective controls are usually limited to known business rules used for supervisory type reports. The prioritization and volume of these reports along with the high error rate associated with human review results in so-called “authorized fraud.” Significant fraud, whether a “salami attack” (i.e., a series of small computer crimes—slices of a larger crime—that are difficult to detect and trace) or high dollar fraud, thus goes undetected until possible financial audits.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings are incorporated in and constitute a part of this specification.
FIG. 1 is a block diagram of an environment in which methods and systems consistent with the present invention may be implemented;
FIG. 2 is a block diagram illustrating components of an implementation of a transaction system consistent with certain aspects of the present invention;
FIG. 3 is a block diagram illustrating components of an implementation of a multidimensional detection system consistent with certain aspects of the present invention;
FIG. 4 is an anomaly detection display consistent with certain aspects of the present invention;
FIG. 5 is a flow chart used to explain the steps of an exemplary process for initially handling transactions; and
FIGS. 6A and 6B are flow charts used to explain the steps of exemplary processes for recording and combining information for transactions and for detecting potential fraud.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Methods, systems and articles of manufacture consistent with features and principles of the present invention facilitate the detection of potential fraud in transactions by combining anomaly detection, rule violation and pattern matching operations. A collection of application transactions resulting from using one or more systems determines business patterns or behavior of a user. These patterns are used to detect anomalies in the user's behavior, are compared to business rules for violations, and are compared to historical transaction patterns of the user or other users. When the information derived from these detection and comparison operations indicates potential fraud, a system monitor (for example, a person or another system) is alerted to the potential fraud.
Many applications have transaction trails, audit trails, and/or logs used to store information associated with transactions. In one preferred implementation consistent with the present invention, a system may use at least a portion of this information to form a data store for information on user behavior. The data store may store information particular to the behavior of individual users and/or information generally applicable to a set of users. The data store may be used to form (and include) rules for determining validity or appropriateness of user behavior (for example, certain transactions under specific conditions may be considered invalid). Alternatively, or additionally, these rules may be predetermined by a system operator.
The data store may be accessed when or nearly when a new transaction is detected by the system. Information indicative of this new transaction may be compared to the information in the data store to determine whether the new transaction is considered to be unusual for the particular user, i.e., an anomaly. If so, that information alone or in combination with information derived from additional transactions involving the same or a different user may initiate a trigger to alert a system monitor of a potential fraud.
Reference will now be made in detail to certain preferred exemplary embodiments implemented according to the invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.
FIG. 1 is a block diagram of an environment in which methods and systems consistent with the present invention may be implemented. The environment includes a plurality of transaction systems 110, network 120, and multidimensional detection system 130.
Transaction systems 110 include systems used to initiate and/or complete and record various transactions. According to one embodiment, transaction systems 110 include various business related transaction systems such as computer systems controlling customer accounts (e.g., telecommunication accounts and credit card accounts), computer systems controlling employee access to physical facilities (e.g., entry key systems, provisioning systems, and telephone systems) and computer systems controlling organization accounting (e.g., billing systems). Communication between transaction systems 110 and network 120 may utilize a wired connection, a wireless connection, or a combination of a wired and wireless connection. Those skilled in the art will appreciate various connections by themselves or in combinations may be used.
Network 120 generally provides an infrastructure for devices and systems to communicate data, voice, or a combination of data and voice. Such an infrastructure may support TCP/IP protocols as well as other known protocols for handling transmission of voice and/or data in a network. An existing infrastructure such as a Local Area Network (LAN), Wide Area Network (WAN), Public Switched Telephone Network (PSTN), or the Internet, may be used, in whole or in part, to form network 120.
Multidimensional detection system 130 facilitates the detection of potential fraud in transactions from the plurality of transaction systems 110 by combining anomaly detection, rule violation and pattern matching operations. According to one embodiment, a collection of transactions resulting from using one or more of transaction systems 110 determines business patterns or behavior of a user. These patterns are used to detect anomalies in the user's behavior, are compared to business rules for violations, and are compared to historical transaction patterns of the user or other users. When the information derived from these detection and comparison operations indicates potential fraud, multidimensional detection system 130 provides a potential fraud alert to a system monitor (for example a person or another system). Communication between multidimensional detection system 130 and network 120 may utilize a wired connection, a wireless connection, or a combination of a wired and wireless connection. Those skilled in the art will appreciate various connections by themselves or in combinations may be used.
FIG. 2 is a block diagram illustrating components of an exemplary transaction system 110. Transaction system 110 includes transaction engine 210 and transaction log 220. These components are explained in more detail below.
Transaction engine 210 initiates and/or completes various transactions. In one embodiment, transaction engine 210 comprises a computer system configured to perform certain transactions under control of a user. Transaction engine 210 may include software, hardware, processing systems, memory, support systems, and any other elements that enable transaction engine 210 to perform transactions. One skilled in the art would realize that transaction engines 210 may include various configurations as required to perform certain transactions. For example, transaction engine 210 may include a billing system that enables a user to credit and debit customer accounts and generate customer bills. Transaction engine 210 may include a customer service computer system that enables a user to control service levels for individual customers (e.g., telephone service, cable television service, internet access). Transaction engine 210 may include a badge access system that enables a user to “badge in” and “badge out” of secure facilities. Transaction engine 210 may include a provisioning system that enables a user to grant and deny access to various enterprise level computer systems and other resources. Transaction engine 210 may include a network access system that enables a user to access certain network content as necessary. As will be apparent to one having skill in the art, the various transaction engines discussed are exemplary. Transaction engine 210 may include any computer system configured to perform transactions.
Transaction logs 220 provide a means or mechanism to collect data from business applications of interest. Transaction log 220 comprises, for example, one or more data loggers that record specific data at specific intervals. Transaction log 220 can be implemented using hardware, firmware, software or a combination thereof. According to one embodiment, transaction log 220 comprises software code that logs data and creates an audit trail for the corresponding transaction engine 210. As will be apparent to those having skill in the art, the appropriate implementation for transaction log 220 is based upon, for example, the transaction system 110 being monitored, the particular data of interest and the environment within which the monitoring is occurring.
According to one embodiment, transaction log 220 logs data regarding transactions of interest on respective transaction engine 210. For example, transaction log 220 may log the following data from transactions occurring on transaction engine 220: system user identification, PC IP address from which a transaction is completed, transaction description, transaction level (for example, a dollar amount), data fields modified by the transaction, identification of any device modified, transaction timing (input of data and output of any result). According to one embodiment, transaction logs 220 are employed to gather data from transaction engines including, without limitation, computer systems controlling customer accounts (e.g., telecommunication accounts and credit card accounts), computer systems controlling employee access to physical facilities (e.g., entry key systems, provisioning systems, and telephone systems) and computer systems controlling organization accounting (e.g., billing systems).
Transaction log 220 may be deployed to collect transaction data from a diverse array of business systems consistent with the teachings of the present invention. The data is then manipulated and used to detect anomalies and potential fraud by multidimensional detection system 130. Some exemplary deployments for transaction log 220 will help to illustrate. Transaction log 220 may be used to collect transaction data from a customer account management system. In such a deployment, transaction log 220 may collect data about transactions that change customer account parameters (for example, user ID, transaction amount, time of transaction, etc.). Transaction log 220 may be used to collect transaction data from a telephone system. In such a deployment, transaction log 220 may collect data about telephone calls made from an individual's telephone (for example, dialed numbers, duration of calls, time of calls, etc.). Transaction log 220 may be used to collect transaction data from facility security systems. In such a deployment, transaction log 220 may collect data relating to a user's building access (for example, user ID, time of building entry, time of building exit, doorways used, etc.). Transaction log 220 may be used to collect transaction data from enterprise computer networks. In such a deployment, transaction log 220 may collect data about an individual's computer network usage (for example, log-in time, log-out time, Internet accesses, etc.). It will be apparent to those having skill in the art that a vast array of deployments are possible and within the scope of the present invention.
FIG. 3 is a block diagram illustrating components of an implementation of multidimensional detection system 130. Multidimensional detection system 130 comprises collection storage 310, data manipulation system 320, detection system 330 and monitoring station 340. The various components are explained in more detail below.
Collection storage 310, collection database 315 and rules database 316 together comprise the operational storage for multidimensional detection system 130. More specifically, collection storage 310, collection database 315 and rules database 316 are used to store data received from transaction logs 220, manipulated data derived from data received from transaction logs 220, and data used to evaluate data (e.g., patterns, rules, profiles etc.) received from transaction logs 220. The data received from transaction logs 220 is evaluated using anomaly detection, rule violation and pattern matching operations. A collection of application transaction data derived from transaction logs 220 and resulting from transactions taking place within transaction engines 210, determines business patterns or behavior of a user. These patterns are used to detect anomalies in the user's behavior, are compared to business rules for violations, and are compared to historical transaction patterns of the user or other users. According to one embodiment, this data is stored in collection database 315 and rules database 316 within collection storage 310.
In some embodiments according to the present invention, collection storage 310 comprises any commercially available mass storage medium. In a preferred embodiment, collection storage 310 comprises a hard disk drive with storage capacity suitable for storing operational data used to implement methods and systems consistent with the present invention. According to another embodiment, collection storage 310 comprises an optical disk drive with storage capacity suitable for storing operational data used to implement methods and systems consistent with the present invention. It will be apparent to those having skill in the art that other storage mediums may be used to implement collection storage 310.
In a preferred embodiment, collection database 315 and rules database 316 comprise any commercially available program suitable for organizing and providing access to operational data stored within collection storage 310. According to one embodiment, collection database 315 and rules database 316 comprise any commercially available relational database. It will be apparent to those having skill in the art that other databases (e.g., network, flat, and hierarchical databases) that provide suitably fast and flexible data access may be used to implement collection database 315 and rules database 316.
Data manipulation system 320 provides a means or mechanism to manipulate data formats. Data manipulation system 320 may include software, hardware, processing systems, memory, support systems, and any other elements that enable data manipulation system 320 to manipulate data. One skilled in the art would realize that data manipulation system 320 may include various configurations depending upon the data sources and the manipulation desired.
In one embodiment, data manipulation system 320 comprises a computer system configured to normalize data received from transaction logs 220. As an example of transaction data normalizing, consider that different business applications may record a user's identity in various ways. In order to aggregate user identity data, data manipulation system 320 normalizes the data to a consistent format. For example, data manipulation system 320 may normalize user identity data to a nine-digit identification number, e.g., social security number. Alternatively, data manipulation system 320 may normalize user identity to a consistent name format, e.g., last name, first name, middle initial. It will be apparent to those having skill in the art, that various normalizing techniques may be used to generate data having a consistent format.
Detection system 330 provides a means or mechanism to develop and apply patterns, rules, and user profiles from manipulated transaction data in order to detect anomalies. Detection system 330 may include software, hardware, processing systems, memory, support systems, and any other elements that enable detection system 330 to detect anomalies. One skilled in the art would realize that detection system 330 may include various configurations depending upon the data sources and the manipulation desired.
According to one embodiment, detection system 330 develops rules, patterns and user profiles that can be used to detect anomalies. For example, detection system 330 may determine a rule based upon the transaction times associated with a particular business application. More particularly, detection system 330 may determine from the normalized transaction records that a particular business application is used most heavily at certain times (e.g., Monday through Friday from 9:00 am to 5:00 pm). In such a case, detection system 330 may define a rule that “flags” transactions outside of the time range as potentially fraudulent. This type of rule may, of course, also take into account normal operating hours associated with the business system. According to another example, detection system may define a rule regarding usage of all business systems by a particular user. More specifically, detection system 330 may examine all transactions on all systems from a particular user to develop a rule that the particular user requests and completes all transactions, regardless of business application, within the hours of 3:00 pm to 1:00 am on Tuesdays through Saturday. Thus, detection system may flag future transactions from that user outside that time range as potentially fraudulent.
Detection system 330 may also determine patterns from normalized transaction data. For example, detection system 330 may develop a pattern to detect salami attacks by reviewing all transactions below a particular threshold from one or more users. More particularly, based on the normalized data, detection system 330 may determine that nearly all transactions within a particular business application exceed a particular threshold. As such, a pattern of a repeated number of transactions below the threshold amount may provide an indication of a salami attack.
Detection system 330 may also develop user profiles from the normalized transaction data. Detection system 330 may then use the user profiles to detect potentially fraudulent transactions. According to one embodiment, detection system 330 generates a user profile by sorting all transaction data generated by a particular user and determining characteristics particular to the user from the transaction data. For example, the normalized data, rules and patterns may indicate that a user typically works at a particular location (i.e., work location), using particular business applications, on accounts in a particular geographic area (i.e., transaction location), on transactions of a particular size or value (i.e., transaction size), between the hours of 8:00 am to 5:00 pm weekdays (working hours) and enters and leaves the work facilities four times each day. This data indicates a profile for the user such that transactions requested outside of the parameters of the profile (i.e., different timing, different work location, different account location) are potentially fraudulent. It will be apparent to those having skill in the art that detection system 330 may define a wide variety of rules, patterns and profiles.
Monitoring station 340 provides a monitoring station for potential fraud. Monitoring station 340 may include a personal computer, work station or any other suitable computing device. According to one embodiment, monitoring station 340 is configured to receive and display to a system monitor (e.g., a person) warning messages about potentially fraudulent transactions from detection system 330. The warning message may comprise, for example, an identification of the user, the type of transaction, the time of the transaction and the nature of the potential fraud. According to another embodiment, monitoring station 340 comprises an automated access control system that is configured to receive warning messages about potentially fraudulent transactions and restrict access to the appropriate user or users in response to the warning messages. It will be apparent to one having ordinary skill in the art that various warning messages and potential responses are possible.
FIG. 4 is an exemplary display 400 for monitoring station 340. Display 400 comprises a number of warning messages 410-430. According to one embodiment, the warning messages 410-430 are organized by user. In FIG. 4, the warning messages comprise a user identification, a list of anomalies detected and a list of potential anomalies detected. It will be apparent to one having ordinary skill in the art that various configurations are possible for monitoring station 340 and the warning messages displayed thereon.
The preferred embodiments according to the present invention utilize transaction data to develop patterns, rules and profiles for particular users. These patterns, rules and user profiles are then used to detect anomalies and therefore potential fraud in transactions. FIG. 5 is a flow chart used to explain the steps of an exemplary process for initially handling and collecting transaction data. As shown in FIG. 5, the process for handling transactions begins with receiving an indication of a user initiated transaction at step 510. Once an indication of a transaction is received, an authorization check is done at step 520. If the authorization check indicates that the transaction is unauthorized, the method provides an indication of failure at step 530. If the transaction is authorized, a record of the transaction is generated and stored at step 540. According to one embodiment, the method of FIG. 5 comprises an initial authorization check within one of transaction systems 110. For example, the method of FIG. 5 is used as an initial authorization check within, for example, computer systems controlling customer accounts (e.g., telecommunication accounts and credit card accounts), computer systems controlling employee access to physical facilities and computer systems controlling organization accounting.
The multidimensional transaction anomaly detection method of FIG. 5 begins with receipt of an indication of a user initiated transaction at step 510. According to one embodiment, an indication of a user initiated transaction is generated automatically by one of transaction systems 110 when a user initiated transaction is started. The indication is used to indicate an incoming transaction. According to another embodiment, such a transaction indication is also communicated through network 120 to multidimensional detection system 130.
Once an indication of a user initiated transaction is received, an authorization check is done at 520. According to one embodiment, the authorization check of step 520 comprises an authorization and/or authentication check by the transaction system 110 within which the transaction was requested. According to another embodiment, the authorization check comprises one or more checks to determine, for example, if the user requesting the transaction is authorized to use the transaction system 110 or if the amount of the transaction exceeds any system or user-specific limits. For example, the user authentication may comprise a userID/password check. It will be apparent to those skilled in the art that various forms of authorization checks may be employed.
A transaction record is generated and stored for authorized transactions at step 540. When it is determined that a transaction is authorized, a transaction record is generated and stored for the transaction. According to one embodiment, the transaction record is generated by transaction engine 210, stored in transaction log 220 and comprises data sufficient to identify the transaction and the user. According to another embodiment, the transaction record comprises, for example, the following information: user identification; time of the transaction; date of the transaction; description of the transaction; size or value of the transaction; and, changes made by the transaction. It will be apparent to those having skill in the art that other data elements may be included in the transaction record.
FIGS. 6A and 6B are flow charts of exemplary processes for recording and combining information for transactions and for detecting potential fraud. More particularly, FIG. 6A depicts the steps of a preferred process for collecting and normalizing transaction records. FIG. 6B depicts the steps of a preferred process for detecting potential fraud.
FIG. 6A depicts a process for collecting and normalizing transaction records used in conjunction with a multidimensional anomaly detection method according to one embodiment of the present invention. According to FIG. 6A, the method for collecting and normalizing transaction records comprises obtaining transaction records (step 610), normalizing transaction records (step 620) and storing normalized transaction records (step 630).
In step 610, transaction records are obtained. According to one embodiment, transaction records are generated by transaction systems 110 and automatically communicated through network 120 to multidimensional detection system 130. More particularly, transaction records are generated and stored in transaction systems 110, communicated through network 120 to multidimensional detection system 130 where they are stored within collection storage 310.
Transaction data from a diverse range of business applications is combined together and used to detect potential anomalies in transactions. Although business applications capture certain transaction data for audit purposes, the data captured by different applications/systems may have different formats. Therefore, transaction records received are normalized to a consistent format if necessary (step 620). Referring to the system of FIGS. 1-3, according to one embodiment, data manipulation system 320 normalizes transaction data.
As an example of transaction data normalizing, consider that different business applications may record a user's identity in various ways. In step 620, therefore, user identity data is normalized to a consistent format. According to one embodiment, user identity is normalized to a nine-digit identification number, e.g., social security number. According to another embodiment, user identity is normalized to a consistent name format, e.g., last name, first name, middle initial. It will be apparent to those having skill in the art, that various normalizing techniques may be used to generate data having a consistent format.
At step 630, normalized transaction records are stored. According to one embodiment, normalized transaction data is stored within a database and is used to develop rules, patterns and user profiles for anomaly detection. With reference to the system of FIGS. 1-3, and according to one embodiment, normalized transaction data is stored within collection database 315. It will be apparent to those having ordinary skill in the art that other storage options are possible.
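The collect, normalize and store steps of FIG. 6A (steps 610 to 630) can be sketched as follows. This is an added example, not code from the patent: the source-system names, raw field names, timestamp formats and sample records are all assumptions, and the name-format option (last name, first name, middle initial) is the one implemented.

```python
from datetime import datetime

# Per-system field mappings. The system names, field names and timestamp
# formats are assumptions made for this example, not taken from the patent.
ADAPTERS = {
    "billing": {"user": "operator", "time": "ts", "fmt": "%Y-%m-%d %H:%M:%S",
                "desc": "action", "value": "amt"},
    "badge":   {"user": "holder", "time": "when", "fmt": "%m/%d/%Y %I:%M %p",
                "desc": "event", "value": None},
    "phone":   {"user": "caller", "time": "start", "fmt": "%Y%m%dT%H%M%S",
                "desc": "dialed", "value": None},
}

# Constructed sample records as three different transaction logs might emit them.
RAW = [
    ("billing", {"operator": "Dana R. Alvarez", "ts": "2005-12-27 15:42:10",
                 "action": "credit account", "amt": "125.00"}),
    ("phone",   {"caller": "alvarez, dana r.", "start": "20051227T161500",
                 "dialed": "555-0100"}),
    ("badge",   {"holder": "ALVAREZ, DANA R", "when": "12/27/2005 03:01 PM",
                 "event": "badge in"}),
    ("billing", {"operator": "Li Chen", "ts": "2005-12-27 10:00:00",
                 "action": "debit account", "amt": "12.00"}),
]


def normalize_name(raw):
    """Return 'LAST, FIRST M' from either 'First M. Last' or 'Last, First M'."""
    cleaned = raw.replace(".", " ").strip()
    if "," in cleaned:
        last, _, rest = cleaned.partition(",")
        given = rest.split()
    else:
        parts = cleaned.split()
        last, given = (parts[-1], parts[:-1]) if parts else ("", [])
    if not last.strip() or not given:
        # Refuse to guess: an unparseable identity must not be merged silently.
        raise ValueError(f"cannot normalize user identity: {raw!r}")
    middle = given[1][0] if len(given) > 1 else ""
    return f"{last.strip()}, {given[0]} {middle}".strip().upper()


def normalize_record(system, raw):
    """Step 620: map one raw log record onto the common record layout."""
    a = ADAPTERS[system]
    return {
        "user": normalize_name(raw[a["user"]]),
        "system": system,
        "time": datetime.strptime(raw[a["time"]], a["fmt"]),
        "description": raw[a["desc"]],
        "value": float(raw[a["value"]]) if a["value"] else None,
    }


def normalize_all(batch):
    """Normalize a batch and sort it by user, then time, ready for profiling."""
    records = [normalize_record(system, raw) for system, raw in batch]
    return sorted(records, key=lambda r: (r["user"], r["time"]))


if __name__ == "__main__":
    for record in normalize_all(RAW):
        print(record)
```

A name format is not a unique key when two users share a name, which is why the text also offers a nine-digit identification number as the normalized identity.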
According to one embodiment of the present invention, the normalized transaction data is used to develop rules, patterns and user profiles that can be used to detect anomalies. For example, a rule may be determined based upon the transaction times associated with a particular business application. More particularly, it may be determined from the normalized transaction records that a particular business application is used most heavily at certain times (e.g., Monday through Friday from 9:00 am to 5:00 pm). In such a case, a rule may be defined that “flags” transactions outside of the time range as potentially fraudulent. This type of rule may, of course, also take into account normal operating hours associated with the business system. According to another example, the normalized transaction data may be used to define a rule regarding usage of all business systems by a particular user. More specifically, all transactions on all systems from a particular user may be examined to develop a rule that the particular user requests and completes all transactions, regardless of business application, within the hours of 3:00 pm to 1:00 am on Tuesday through Saturday. Thus, transactions from that user outside that time range may be flagged as potentially fraudulent.
The normalized transaction data may also be used to determine patterns. For example, all transactions below a particular threshold from one or more users may be used to develop a pattern to detect salami attacks. More particularly, the normalized data may be used to determine that nearly all transactions within a particular business application exceed a particular threshold. As such, a pattern of repeated transactions below the threshold amount may provide an indication of a salami attack.
According to one embodiment, the normalized data, patterns and rules may be used to develop user profiles. The user profiles may be used to detect potentially fraudulent transactions. According to one embodiment, a user profile is generated by sorting all transaction data generated by a particular user and determining characteristics particular to the user from the transaction data. For example, the normalized data, rules and patterns may indicate that a user typically works on accounts in one particular geographic area, between the hours of 8:00 am to 5:00 pm weekdays and enters and leaves the work facilities four times each day. This data indicates a profile for the user such that transactions requested outside of the profile are potentially fraudulent. According to one embodiment, the rules, patterns and profiles developed are stored in rules database 316. It will be apparent to those having skill in the art that a wide variety of rules, patterns and profiles may be defined consistent with the teachings of the present invention.
FIG. 6B depicts a process for detecting potential fraud consistent with one embodiment of the present invention. As shown, the method for detecting comprises selecting a transaction record at step 640, applying defined rules to the selected transaction record at step 650 and outputting a result of the rules application at step 660.
At step 640, a transaction record is selected for examination. According to one embodiment, every incoming normalized transaction record is selected for examination at step 640. According to an alternative embodiment, transaction records are sampled at a frequency sufficient to detect most fraudulent transactions. In such a case, it may be determined that examining every transaction is unnecessarily burdensome. In yet another embodiment, all transactions from a particular individual are selected at step 640. It will be apparent to those having skill in the art that other methods of selecting a transaction are within the spirit and scope of the present invention.
The rules are applied to the selected transaction record to determine potentially fraudulent transactions at step 650. According to one embodiment, all available rules are applied to the selected transaction record at step 650. According to another embodiment, when there exists a particular fraud threat (for example, dictated by recent transaction history), only rules particular to detecting that threat are applied at step 650. Other rule application methods are appropriate and within the scope of the present invention.
According to one embodiment, the rules are applied using a scoring methodology. For example, when a rule is applied, conventional pattern matching methodology may be employed to develop a score. The score may represent, for example, a percent confidence that the rule has been violated. Additionally, a threshold may be applied such that all percentages exceeding the threshold are considered the result of an anomalous transaction. As will be apparent to one having skill in the art, scoring methodologies are well known and various scoring methodologies could be employed.
At step 660, a result of the rule application is output. According to one embodiment, the result comprises an indication of a potential fraud displayed on a monitor of a system administrator. Such an output allows a system administrator to further examine the potentially fraudulent transaction immediately so that ongoing fraud may be prevented. The system administrator may also examine other relevant transactions (e.g., other transactions from the same user or other transactions from the same business system) for fraud. According to another embodiment, the result comprises an indication of potential fraud that is sent via email to a system administrator. It will be apparent to those having skill in the art that various methods of display may be used by themselves or in combination.
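The profile-building flow of steps 610-630 and the detection flow of steps 640-660 described above, as an added Python example that is not code from the patent. The application names, field names and timestamp formats, the hour-of-week profile, the 25-points-per-hour time score, the 5th-percentile amount floor and the repeat count of five are all assumptions made for illustration, and every record is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WEEK = 7 * 24  # hours in a week
# Hypothetical per-application layout: (user field, time field, time format, amount field).
FORMATS = {
    "billing": ("user", "ts", "%Y-%m-%d %H:%M", "amount"),
    "provisioning": ("employee", "when", "%d.%m.%Y %H:%M", "credit"),
}

def normalize_name(raw):
    """Step 620: 'jane q doe' or 'Doe, Jane Q.' -> 'DOE, JANE Q' (last, first, middle initial)."""
    raw = raw.replace(".", " ").strip()
    if "," in raw:
        last, rest = raw.split(",", 1)
        given = rest.split()
    else:
        *given, last = raw.split()
    if not given:
        raise ValueError(f"cannot split name: {raw!r}")
    middle = given[1][0] if len(given) > 1 else ""
    return f"{last.strip()}, {given[0]} {middle}".strip().upper()

def normalize(app, rec):
    """Step 620: map one application-specific record onto the common format."""
    user_key, time_key, time_fmt, amount_key = FORMATS[app]
    return {"app": app, "user": normalize_name(rec[user_key]),
            "time": datetime.strptime(rec[time_key], time_fmt),
            "amount": float(rec[amount_key])}

def build_profile(history):
    """Per-user count of (weekday, hour) buckets seen across all applications."""
    profile = defaultdict(Counter)
    for tx in history:
        profile[tx["user"]][(tx["time"].weekday(), tx["time"].hour)] += 1
    return profile

def time_score(profile, tx, min_support=2):
    """Percent confidence that the user's typical-hours rule is violated."""
    typical = [d * 24 + h for (d, h), n in profile.get(tx["user"], {}).items()
               if n >= min_support]
    if not typical:
        return 100.0  # no baseline for this user
    now = tx["time"].weekday() * 24 + tx["time"].hour
    # Circular distance over the week, so a shift that runs past midnight stays contiguous.
    gap = min(min((now - t) % WEEK, (t - now) % WEEK) for t in typical)
    return min(100.0, 25.0 * gap)

def app_floor(history, app, quantile=0.05):
    """Amount that nearly all historical transactions in this application reach."""
    amounts = sorted(tx["amount"] for tx in history if tx["app"] == app)
    return amounts[int(quantile * len(amounts))]

def salami_score(floors, batch, tx, repeat=5):
    """Percent confidence of a salami pattern: repeated sub-floor amounts by one user."""
    floor = floors.get(tx["app"])
    if floor is None or tx["amount"] >= floor:
        return 0.0
    small = sum(1 for t in batch if t["user"] == tx["user"]
                and t["app"] == tx["app"] and t["amount"] < floor)
    return min(100.0, 100.0 * small / repeat)

def detect(history, new, threshold=50.0):
    """Steps 640-660: examine every new record, apply all rules, return alerts."""
    profile = build_profile(history)
    floors = {app: app_floor(history, app) for app in {t["app"] for t in history}}
    alerts = []
    for tx in new:
        scores = {"typical_hours": time_score(profile, tx),
                  "salami": salami_score(floors, new, tx)}
        fired = {rule: s for rule, s in scores.items() if s > threshold}
        if fired:
            alerts.append((tx["user"], tx["app"], tx["time"].isoformat(), fired))
    return alerts

def constructed_history():
    """Four constructed weeks of one user working 3 pm to 1 am, Tuesday to Saturday."""
    start = datetime(2005, 3, 1, 15)  # a Tuesday, 3:00 pm
    raw = []
    for week in range(4):
        for day in range(5):
            for h in range(10):  # hourly activity from 3 pm through midnight
                t = start + timedelta(weeks=week, days=day, hours=h)
                if h % 2:
                    raw.append(("billing", {"user": "Doe, Jane Q.",
                                "ts": t.strftime("%Y-%m-%d %H:%M"), "amount": f"{100 + 5 * h}.00"}))
                else:
                    raw.append(("provisioning", {"employee": "jane q doe",
                                "when": t.strftime("%d.%m.%Y %H:%M"), "credit": 80 + h}))
    return [normalize(app, rec) for app, rec in raw]

def constructed_new():
    """Constructed new records: in-profile, off-hours, and five tiny credits."""
    raw = [("billing", {"user": "Doe, Jane Q.", "ts": "2005-04-02 00:20", "amount": "120.00"}),
           ("billing", {"user": "DOE, Jane Q", "ts": "2005-04-04 09:05", "amount": "130.00"})]
    raw += [("provisioning", {"employee": "Jane Q. Doe",
             "when": f"05.04.2005 16:{m:02d}", "credit": 0.99}) for m in range(0, 50, 10)]
    return [normalize(app, rec) for app, rec in raw]

if __name__ == "__main__":
    for alert in detect(constructed_history(), constructed_new()):
        print(alert)
```

The Saturday 12:20 am record raises no alert because it falls inside the Friday shift, while the Monday 9:05 am record and the five sub-floor credits each exceed the threshold.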
The above-noted features and other aspects and principles of the preferred embodiment according to the present invention may be implemented in various environments. Such environments and related applications may be specially constructed for performing the various processes and operations described herein or they may include a general purpose computer or computing platform selectively activated or reconfigured by program code to provide the necessary functionality. The processes disclosed herein are not inherently related to any particular computer or other apparatus, and may be implemented by a suitable combination of hardware, software, and/or firmware. For example, various general purpose machines may be used with programs written in accordance with teachings of the invention, or it may be more convenient to construct a specialized apparatus or system to perform the required methods and techniques.
The present invention may also be implemented using computer processor readable media that include program instructions or program code for performing various computer-implemented operations based on the methods and processes consistent with the invention. The program instructions may be those specially designed and constructed for the purposes of the invention, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of program instructions include machine code, such as produced by a compiler, and files containing high-level code that can be executed by the computer using an interpreter.
Variations of the methods and systems consistent with features of the present invention may be implemented without departing from the scope of the invention. Accordingly, the invention is not limited to the above described embodiments, but instead is defined by the appended claims in light of their full scope of equivalents.

Claims (19)

1. A fraud detection method performed by a computer having a processor, comprising:
collecting, by the processor, a plurality of transaction records containing transaction information about transactions performed by an individual across different business applications, the transaction information having different formats;
normalizing, by the processor, the transaction information to a consistent format;
determining, by the processor and based on the normalized transaction information, a transaction rule defining a characteristic of a typical transaction by the individual general to all the business applications;
generating, by the processor and based on the normalized transaction information, a user profile for the individual, the user profile including the transaction rule;
receiving, by the processor, information about new transactions associated with the individual in the different business applications;
determining, by the processor and based on the new transaction information, characteristics of the new transactions;
comparing, by the processor, the characteristics of the new transactions to the transaction rule;
determining, by the processor and based on the comparison, whether the new transactions constitute an anomaly for the individual; and
sending an alert based on a result of the determination.
2. The method of claim 1, wherein sending the alert comprises sending an indication of potentially fraudulent activity.
3. The method of claim 2, further comprising when an anomaly is determined, sending a signal to a device to provide notice of the anomaly.
4. The method of claim 1, wherein sending the alert comprises transmitting a signal to a device when it is determined that a value associated with the anomaly is equal to or greater than a threshold value.
5. The method of claim 1, wherein the profile includes information developed over a period of time from the different business applications and reflecting past behavior of the individual.
6. A method performed by a computer having a processor, the method comprising:
collecting, by the processor, a plurality of transaction records containing transaction data for transactions performed by an individual across different business applications, the transaction data having different formats;
normalizing, by the processor, the transaction data to a consistent format;
determining, by the processor and based on the normalized transaction data, a transaction rule defining a characteristic of a typical transaction by the individual general to all the business applications;
generating, by the processor and based on the normalized transaction data, a user profile including the transaction rule;
receiving, by the processor, data about new transactions associated with the individual in the different business applications;
determining, by the processor and based on the new transaction data, characteristics of the new transactions;
comparing, by the processor, the characteristics of the new transactions to the transaction rule;
detecting, by the processor, whether the new transactions constitute an anomaly based on the comparison; and
sending, by the processor, an alert when an anomaly is detected.
7. The method of claim 6, wherein the transaction data comprises information identifying a user of a business application for a transaction.
8. The method of claim 6, wherein the transaction data comprises information concerning a time of a transaction.
9. The method of claim 6, wherein the transaction data comprises information concerning a size of a transaction.
10. The method of claim 6, wherein the transaction data comprises information concerning a location of a user of a business application for a transaction.
11. The method of claim 6, wherein the transaction data comprises information concerning a location related to a transaction.
12. The method of claim 6, wherein the characteristic of a typical transaction by the individual comprises one or more of:
a typical transaction timing for the individual;
a typical transaction size for the individual;
most commonly used business applications of the individual;
typical working hours for the individual;
a typical work location for the individual; and
a typical transaction location for the individual.
13. The method of claim 12, wherein the characteristic of a typical transaction by the individual provides an indication of the individual's behavior.
14. The method of claim 6, wherein detecting an anomaly comprises:
comparing the characteristics of the new transactions with the user profile; and
identifying a transaction anomaly associated with the individual based on the comparison.
15. A system comprising:
a database storing a plurality of transaction records containing transaction data for transactions performed by an individual across a plurality of different business applications, the transaction data having different formats; and
a processor configured to:
receive the transaction records from the database;
normalize the transaction data to a consistent format;
determine, based on the normalized transaction data, a transaction rule defining a characteristic of a typical transaction by the individual general to all the business applications;
generate, based on the normalized transaction data, a user profile including the transaction rule;
receive data about new transactions associated with the individual in the different business applications;
determine, based on the new transaction data, characteristics of the new transactions;
compare the characteristics of the new transactions to the transaction rule;
detect whether the new transactions constitute an anomaly for the individual based on the comparison; and
provide an alert when an anomaly is detected.
16. The system of claim 15, wherein the transaction information includes information identifying a user of a business application for a transaction and information concerning a time of the transaction.
17. The system of claim 15, wherein the characteristic of a typical transaction by the individual comprises one or more of:
a typical transaction timing for the individual;
a typical transaction size for the individual;
most commonly used business applications of the individual;
typical working hours for the individual;
a typical work location for the individual; and
a typical transaction location for the individual.
18. The system of claim 15, wherein the characteristic of a typical transaction by the individual provides an indication of the individual's behavior.
19. The system of claim 15, wherein the processor is further configured to:
compare the characteristics of the new transactions with the user profile; and
identify a transaction anomaly associated with the individual based on the results of the comparison.
US11/319,608 2005-12-29 2005-12-29 Multidimensional transaction fraud detection system and method Active 2026-09-18 US7815106B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/319,608 US7815106B1 (en) 2005-12-29 2005-12-29 Multidimensional transaction fraud detection system and method

Publications (1)

Publication Number Publication Date
US7815106B1 true US7815106B1 (en) 2010-10-19

Family

ID=42941141

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/319,608 Active 2026-09-18 US7815106B1 (en) 2005-12-29 2005-12-29 Multidimensional transaction fraud detection system and method

Country Status (1)

Country Link
US (1) US7815106B1 (en)

US10956986B1 (en) 2017-09-27 2021-03-23 Intuit Inc. System and method for automatic assistance of transaction sorting for use with a transaction management service
US10956075B2 (en) 2018-02-02 2021-03-23 Bank Of America Corporation Blockchain architecture for optimizing system performance and data storage
US11176101B2 (en) 2018-02-05 2021-11-16 Bank Of America Corporation System and method for decentralized regulation and hierarchical control of blockchain architecture
US10776462B2 (en) * 2018-03-01 2020-09-15 Bank Of America Corporation Dynamic hierarchical learning engine matrix
US20190272360A1 (en) * 2018-03-01 2019-09-05 Bank Of America Corporation Dynamic hierarchical learning engine matrix
US20220215091A1 (en) * 2021-01-07 2022-07-07 Intuit Inc. Method and system for detecting coordinated attacks against computing resources using statistical analyses
US11914704B2 (en) * 2021-01-07 2024-02-27 Intuit Inc. Method and system for detecting coordinated attacks against computing resources using statistical analyses
US11606353B2 (en) 2021-07-22 2023-03-14 Biocatch Ltd. System, device, and method of generating and utilizing one-time passwords

Legal Events

Date Code Title Description
AS Assignment

Owner name: VERIZON CORPORATE SERVICES GROUP INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MCCONNELL, JAMES TRENT;REEL/FRAME:017465/0794

Effective date: 20050503

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: VERIZON PATENT AND LICENSING INC., NEW JERSEY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:VERIZON CORPORATE SERVICES GROUP INC.;REEL/FRAME:033421/0403

Effective date: 20140409

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: RAKUTEN, INC., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:VERIZON PATENT AND LICENSING INC.;REEL/FRAME:042103/0675

Effective date: 20160531

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552)

Year of fee payment: 8

AS Assignment

Owner name: RAKUTEN GROUP, INC., JAPAN

Free format text: CHANGE OF NAME;ASSIGNOR:RAKUTEN, INC.;REEL/FRAME:058314/0657

Effective date: 20210901

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12